Secure authentication

ABSTRACT

Apparatus, systems, and methods provide a mechanism to enhance the security of operating client devices with systems controlling secure data. Various embodiments include apparatus and methods to authenticate a communication session between a server and a client device without providing authentication tokens to the client device. Additional apparatus, systems, and methods are disclosed.

BACKGROUND

Individuals access and control data in electronic systems on a regular basis. Such data includes data that is of such a personal nature that individuals typically do not want this personal data easily accessible by unauthorized individuals or systems. Such data can also include access to personal assets, to which a user typically desires access limited to the user or to authorized personnel or institutions on a user-controlled basis. Networks and interconnectivity of systems have provided a user with relatively easy access to his personal data and assets.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows features of an example arrangement to conduct an interactive session from a client device to a server using a mobile wireless communications device without providing an authentication token to the client device, in accordance with various embodiments.

FIG. 2 shows features of an example method of conducting operations in a mobile wireless communications device to provide authentication of a user of a client device to a server without the client device being provided with an authentication token, in accordance with various embodiments.

FIG. 3 shows features of an example method of conducting operations in a server to provide authentication of a user of a client device to the server without the client device being provided with an authentication token, in accordance with various embodiments.

FIG. 4 shows a block diagram of an example mobile wireless communications device operable to provide authentication of a user of a client device to a server without the client device being provided with an authentication token, according to various embodiments.

FIG. 5 shows a block diagram of an example server operable to provide authentication of a user of a client device to the server without the client device being provided with an authentication token, according to various embodiments.

FIGS. 6A-F illustrate a method of operating an application from a server using a client device without providing an authentication token to the client device, according to various embodiments.

FIG. 7 shows a non-limiting example of a secure internet session between a server and a client computer enabled by a mobile wireless communications device, according to various embodiments.

DETAILED DESCRIPTION

The following detailed description refers to the accompanying drawings that show, by way of illustration, details and embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice embodiments. Other embodiments may be utilized and structural, logical, and electrical changes may be made without departing from the inventive subject matter. The various embodiments disclosed herein are not necessarily mutually exclusive, as some embodiments can be combined with one or more other embodiments to form new embodiments. The following detailed description is, therefore, not to be taken in a limiting sense.

The same networks and interconnectivity of systems that have provided relatively easy access to personal data and assets can be manipulated to provide a path for unauthorized individuals or systems to access and obtain personal data and assets. For example, when signing into secure resources over the internet, a client system used to sign into the secure resource cannot always be trusted to safeguard personal access codes, such as passwords or PINs, as a result of malware, viruses, etc., which may be embedded in the client system or have access to the client system. There may also be situations where a user has to employ a system in which the user has no trust, such as systems found in an internet café. Improvements to network-based systems and operation of these network-based systems can increase the protection of personal data and assets to enhance data and asset security.

In various embodiments, a security mechanism provides protection of a user's personal data or access to assets of the user that the user might provide in a session with an application on a remote resource, where the session includes interaction with the server from a client device. This data or access may include, but is not limited to, credit card data, log-in access codes, other personal data, and access to applications that control user assets. The security mechanism allows users to securely authenticate sign-in, sign-out, and confirm transactions in sessions between a server and a client device using their mobile wireless communication device, such as a smartphone, while only ever divulging their username, or equivalent, to the client device. A username or equivalent is typically referred to as a log-in. Equivalents to a username can include an account name, account number, or other format for offering an identification. For security of personal access, systems typically prompt for an access code such as a password or personal identification number (PIN) to accompany presentation of a log-in. Transactions that are confirmed in this manner typically are sensitive transactions that affect data and/or assets of a user, where such data and assets are to be protected from unauthorized access. These resources with which a user may participate in an interactive session from a client device, such as a client computer, to a server can include, but are not limited to, online banking, a virtual private network (VPN), email services, online health records, online shopping, and other resources using an authentication correlated to the user.

Client devices and servers that control data or operate on data may include various apparatus, such as computer systems or other processing systems, having hardware and/or hardware and stored executable instructions to control and/or operate on data. A personal computer (PC) can be used as a component in an interactive session between a server and a client device. A personal computer, as is generally known, herein refers to computing devices having an operating system (OS) such that use of the personal computer may be conducted by individuals having little or no knowledge of the basics of the underlying hardware and instructions that operate the PC and whose operation may be conducted without individuals typically authoring computer programs to operate the computer. Portable computers may include portable personal computers. An example of a portable PC is a laptop computer or notebook computer that typically has a display screen, keyboard, underlying hardware and software, and a display pointing device that are all integrated in a housing that can easily be carried by an individual. Another example of a portable PC is a tablet computer. Some personal digital assistants (PDAs) may be viewed as a type of portable computer.

In various embodiments, a mobile wireless communications device can be implemented to control and/or execute applications that control and/or operate on data. The mobile wireless communications devices may include, but are not limited to, mobile telephones, portable computers, PDAs, and other devices that may be conveniently carried by a user and provide wireless communication. Mobile telephones include wireless communications devices that have generally been referred to as cell phones. Mobile telephones may include a wide range of communication devices from portable phones with limited functionality beyond voice communication to portable phones capable of providing functionality of a personal computer, which portable phones may be referred to as smartphones.

Various instrumentalities can be realized in hardware implementations and combinations of hardware and software-based implementations. Some portions of the instrumentalities may be described in terms of algorithms and symbolic representations of operations on data bits within a machine memory. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of physical structures responsive to electrical or magnetic signals, where various of the physical structures are capable of being stored, transferred, combined, compared, and otherwise manipulated.

The instrumentality may operate to process, compute, calculate, determine, display, and/or conduct other activities correlated to processes of a machine, such as a computer system or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the machine's registers and memories into other data similarly represented as physical quantities within the machine memories or registers or other such data storage, transmission, or display devices. The instrumentality may provide personalized capabilities, provide a pathway to other content, or combinations thereof. The instrumentality may use distributed applications, different numbers and types of software based components that couple two or more applications to enable data transfer between the applications, hardware to provide services from a number of different sources, and may be realized on a variety of platforms such as servers and content management systems. The instrumentality may include or provide access to subroutine code, code libraries, application program interfaces such as interpreters utilizing Java EE™, Simple DirectMedia Layer™ (SDL) and DirectX™, combinations thereof, or other such electronic based functionalities.

Herein, an application is a set of instructions physically stored in a device, where the instructions are executable by a controller to conduct one or more tasks associated with operating hardware to perform a specific set of functions. The controller may be realized as one or more processors. An application can include instructions that, when executed, cause one or more apparatus to operate in a specific manner as directed by the execution of the instructions. An application can include instructions in a memory device (or system) that operates on data physically stored in the memory device (or system) or in other memory devices (or systems) such that resulting data is physically stored.

FIG. 1 shows features of an example embodiment of an arrangement 100 to conduct an interactive session from a client device 110 to a server 105 using a mobile wireless communications device 115 without providing an authentication token to client device 110. Herein, an authentication token means an entity to prove identity or gain access to a resource, where the entity is evidence of authority, status, rights, or entitlement to privileges such that only those with proper authentication tokens are admitted access. An authentication token can include a password, a PIN, biometric data, an image, a coded image, or other format that can be physically examined by a machine as authentication to prove identity or gain access to a resource associated with a log-in or other offered identification. Biometric data for authentication can include measurable, distinctive characteristics such as, but not limited to, fingerprints, face recognition, DNA, palm print, hand geometry, iris recognition, retina recognition, scent, typing rhythm, gait, and voice. It is noted that a log-in, which provides an identity, is used in attaining access to a system or sensitive data of a system, but a log-in is not an authentication token, since the log-in provides an identification and not a verification or authentication of the identification.

Mobile wireless communications device 115 includes an application to interact with server 105 to authenticate client device 110, where the application is related to server 105. Mobile wireless communications device 115 can also include encryption keys to enter into a secure communication with server 105 and to encode and/or decode data related to user authentication with respect to interactive sessions between server 105 and client device 110. Mobile wireless communications device 115 can communicate with server 105 over a wireless network, such as, but not limited to, a network to which mobile wireless communications device 115 subscribes. Client device 110 can communicate with server 105 over a network, such as, but not limited to, the Internet.

In an authentication procedure, mobile wireless communications device 115 can communicate with client device 110 by capturing an image on a display 119 of client device 110 using a camera 118 of mobile wireless communications device 115. The image on display 119 can be the result of an encoding procedure on server 105 transmitted to client device 110. After capturing the image, mobile wireless communications device 115, in view of the application associated with server 105, decodes the image, responds to the decoded image, and communicates with server 105. In response to the communication from mobile wireless communications device 115, if deemed valid according to the authentication application in server 105, server 105 enters into an interactive session with client device 110. The authentication process can be conducted without providing authentication tokens to client device 110. This arrangement can be structured in a manner operable with apparatus and processes discussed herein, such as apparatus and processes similar to or identical to apparatus and processes associated with FIGS. 2-7.

FIG. 2 shows features of an example embodiment of a method of conducting operations in a mobile wireless communications device to provide authentication of a user of a client device to a server without the client device being provided with an authentication token. This method can be conducted in a manner operable with apparatus and processes discussed herein, such as apparatus and processes similar to or identical to apparatus and processes associated with FIGS. 1 and 3-7. At 210, an image displayed on a client device is captured in the mobile wireless communications device. This capture can be conducted using a camera. The image can be an encoded picture, a set of pictures, a two-dimensional (2D) encoded pattern of varying structures, a 2D barcode, or other image that can be constructed to provide encoded data. At 220, the image is decoded in the mobile wireless communications device.

At 230, a secure communication connection between the mobile wireless communications device and a server is established. The establishment of the secure communication connection can be initiated by the mobile wireless communications device. Alternatively, the establishment of the secure communication connection can be initiated by the server based on a log-in request from the client device to the server, where an authentication token for user log-in is not provided to the client device. Establishing the secure communication connection between the mobile wireless communications device and the server can include using transport layer security (TLS). TLS is an industry-standard security protocol that provides encrypted network communications. TLS uses a digital certificate, which contains identity data and a public key, to authenticate the server and to establish the session keys that encrypt the communications. The digital certificate can be stored on the server, and the application on the mobile wireless communications device verifies the certificate when the connection is established, so that authenticating data is not sent to a server impersonating the intended one. This can provide a secure communication connection between the mobile wireless communications device and the server. Other security mechanisms can be used including conventional security protocols, proprietary security protocols, or combinations of security protocols.

At 240, authenticating data of a user log-in between the client device and the server is transmitted to the server, via the secure communication connection. The authenticating data of the user log-in being provided to the server corresponds to the user log-in to the server being requested from the client device. The authenticating data can be based on the decoded image in the mobile wireless communications device. Transmitting authenticating data to the server can include transmitting data that satisfies a challenge incorporated in the captured image.

At 250, after the user log-in, an activity of an interactive session between the client device and the server is conducted in the mobile wireless communications device and activity based data is transmitted to the server. The activity can include a confirmation of a transaction of an application of the server during the interactive session between the client device and the server. The activity can include a logoff of the interactive session between the client device and the server. The confirmation or the logoff can be conducted via a communication from the mobile wireless communications device to the server to complete the confirmation or the logoff without the authentication token being provided to the client device.

Confirmation of a transaction, while running an application from a server that was launched after user log-in to the server from the client device, can be conducted in a similar manner to authentication of the user log-in from the client device to the server without providing an authentication token to the client device. On processing a transaction of an application, in which confirmation of the transaction is to be provided to the server, a confirmation process can be implemented in the mobile wireless communications device. The mobile wireless communications device can capture an image displayed on the client device during the interactive session. The image can be an encoded picture, a set of pictures, a 2D encoded pattern of varying structures, a 2D barcode, or other image that can be constructed to provide encoded data. This image can be captured using the camera of the mobile wireless communications device. This image is different from the one used to conduct authentication of the user log-in from the client device to the server. This second image includes encoded data that identifies the transaction to be confirmed. It can also include a challenge for the recipient of the encoded data to answer via the mobile wireless communications device. The encoded data may also include data with respect to the authentication of the log-in of the interactive session from which the encoded data was generated by the server.

The second image can be decoded in the mobile wireless communications device. Data extracted from the decoding of the second image can be used to generate a secure confirmation of the transaction. A communication to the server from the mobile wireless communications device can be generated in response to decoding the second image. Authenticating data of the transaction of the interactive session, based on the decoded second image, can be transmitted to the server in the communication. Transmitting authenticating data of the transaction can include transmitting, to the server, an identification of the transaction, where the identification is extracted from decoding the second image. The data sent to the server can include details of the transaction.

Logoff of the user based session of the client device from the server can be conducted via the mobile wireless communications device by generating a logoff request and transmitting the logoff request to the server. The logoff request can include data to terminate connection of the server and the client device, where the data may include data corresponding to the authentication of the user log-in via the mobile wireless communications device.

FIG. 3 shows features of an example embodiment of a method of conducting operations in a server to provide authentication of a user of a client device to the server without the client device being provided with an authentication token. This method can be conducted in a manner operable with apparatus and processes discussed herein, such as apparatus and processes similar to or identical to apparatus and processes associated with FIGS. 1, 2, 4, 5, 6, and 7. At 310, coded image data is generated in the server. Coded image data is data that can be used to display an image, where the image can include portions of the data. The data in the image can be encoded. The coded image data can include data corresponding to a user log-in to the server. Generating the coded image data can include incorporating a challenge in generating the coded image data.

At 320, the coded image data is transmitted to a client device. The client device corresponds to the requested user log-in related to the coded image data. At 330, the server enters into a secure communication connection with a mobile wireless communications device. The establishment of the secure communication connection can be initiated by the mobile wireless communications device. Alternatively, the establishment of the secure communication connection can be initiated by the server based on the log-in request from the client device, where an authentication token for user log-in is not provided to the client device. Entering into a secure communication connection can include using TLS.

At 340, the server receives, via the secure communication connection, authenticating data of the user log-in between the client device and the server. This authentication process is executed without an authentication token, corresponding to the user log-in to the server, being provided to the client device. The authenticating data can be based on the coded image data transmitted to the client device. At 350, the server enters into an interactive session with the client device based on the authenticating data. Entry into the interactive session, corresponding to the user log-in from the client device to the server, can be based on comparing the authenticating data received by the server with the data of the coded image data generated in the server.

At 360, in response to a communication from the mobile wireless communications device, an activity related to the entered interactive session can be conducted with the client device. Performing the activity can be conducted after entering into the interactive session. The activity can include a confirmation of a transaction of an application of the server during the interactive session between the client device and the server. The activity can include a logoff of the interactive session between the client device and the server. The confirmation or the logoff can be conducted in response to a communication from the mobile wireless communications device to complete the confirmation or the logoff. The confirmation or the logoff can be conducted without the authentication token being provided to the client device.

Confirmation of a transaction, while running an application from a server that was launched after user log-in to the server from the client device, can be conducted in a similar manner as authentication of the user log-in from the client device to the server without providing an authentication token to the client device. On processing a transaction of an application, in which confirmation of the transaction is to be provided to the server, a confirmation process can be implemented beginning with the server generating an identification of the transaction. The server may also generate other data to be conveyed to a user for confirming the transaction. The identification and other data can be encoded into coded image data. This coded image data is different from the coded image data used to conduct authentication of the user log-in from the client device to the server. This second coded image data includes encoded data that identifies the transaction to be confirmed. It may also include a challenge for the recipient of the encoded data to answer. The encoded data may also include data with respect to the authentication of the log-in of the interactive session from which the encoded data was generated by the server.

The server transmits the second coded image data to the client device. Subsequently, the server receives authenticating data of the transaction from the mobile wireless communications device in a secure communication connection without the authentication token being provided to the client device. The authenticating data can be based on the second coded image data transmitted to the client device. The server can complete the confirmation of the transaction based on the authenticating data received from the mobile wireless communications device. Completing the confirmation of the transaction in the server can include comparing the identification of the transaction generated by the server with a transaction identification received in the authenticating data of the transaction.

Logoff of the client device from the server, relative to the authenticated user log-in process, can be conducted in response to a communication from the mobile wireless communications device. Conducting the logoff can include receiving a logoff request from the mobile wireless communications device. The logoff request can include data to terminate connection of the server and client device corresponding to the user log-in. Conducting the logoff can include the server invalidating cookies associated with the user log-in. Conducting the logoff can include the server invalidating session data cached by the client device.
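The following is an added worked example of the log-in, transaction-confirmation and logoff exchanges of FIGS. 2 and 3 taken together; it is illustrative code written for this text, not code from the application or from any product. It assumes a concrete scheme the application leaves open: the mobile wireless communications device holds a per-user secret shared with the server and answers each challenge with an HMAC over the challenge fields, the coded image data is a JSON payload standing in for the 2D barcode, and the TLS connection between the mobile device and the server is modelled as direct function calls. The class and function names (Server, Mobile, challenge_message, respond, run_flow) and the log-in "alice" and transaction "TX-42" are constructed for the example. The server side shows the checks a practitioner would expect around the comparison at step 350: each challenge is single-use, expires, and is bound to the log-in, the purpose (log-in versus confirmation) and the transaction identification, so a captured image cannot be replayed or repurposed.

```python
# Added example: simulation of the log-in, confirmation and logoff flows of
# FIGS. 2 and 3 under the assumptions stated in the lead-in.
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL = 60  # seconds a coded image stays valid (assumed value)

def challenge_message(purpose, login, nonce, tx_id):
    """Bytes both sides MAC: binds purpose, log-in, nonce and transaction."""
    return f"{purpose}|{login}|{nonce}|{tx_id or ''}".encode()

def respond(key, purpose, login, nonce, tx_id):
    """Authenticating data: HMAC over the challenge, never seen by the client."""
    return hmac.new(key, challenge_message(purpose, login, nonce, tx_id),
                    hashlib.sha256).hexdigest()

class Server:
    """Server side of FIG. 3 (steps 310-360)."""
    def __init__(self, user_keys):
        self.user_keys = user_keys  # log-in -> secret shared with the user's mobile
        self.pending = {}           # nonce -> (login, purpose, tx_id, expiry)
        self.sessions = {}          # cookie -> log-in
        self.confirmed = set()      # transaction ids confirmed via the mobile

    def _issue(self, login, purpose, tx_id=None):
        # 310: coded image data carrying a fresh, single-use challenge
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (login, purpose, tx_id, time.monotonic() + CHALLENGE_TTL)
        payload = {"login": login, "purpose": purpose, "nonce": nonce}
        if tx_id is not None:
            payload["tx"] = tx_id
        return json.dumps(payload)  # 320: sent to the client device for display

    def login_request(self, login):
        if login not in self.user_keys:
            raise KeyError("unknown log-in")
        return self._issue(login, "login")

    def transaction_request(self, cookie, tx_id):
        # second coded image: identifies the transaction to be confirmed
        return self._issue(self.sessions[cookie], "confirm", tx_id)

    def authenticate(self, login, nonce, response, tx_id=None):
        """340/350: returns a cookie (log-in) or tx id (confirm); None if rejected."""
        entry = self.pending.pop(nonce, None)  # popped, so a replay finds nothing
        if entry is None:
            return None
        p_login, purpose, p_tx, expiry = entry
        if p_login != login or p_tx != tx_id or time.monotonic() > expiry:
            return None
        expected = respond(self.user_keys[login], purpose, login, nonce, tx_id)
        if not hmac.compare_digest(expected, response):
            return None
        if purpose == "login":
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = login
            return cookie
        self.confirmed.add(tx_id)
        return tx_id

    def logoff(self, login):
        # 360: invalidate every cookie bound to the log-in
        for cookie in [c for c, l in self.sessions.items() if l == login]:
            del self.sessions[cookie]

class Mobile:
    """Mobile wireless communications device side of FIG. 2 (steps 210-250)."""
    def __init__(self, login, key):
        self.login, self.key = login, key

    def scan(self, image_data):
        # 210/220: decode the captured image; refuse a challenge issued for
        # another log-in rather than answer it blindly
        data = json.loads(image_data)
        if data["login"] != self.login:
            raise ValueError("challenge not issued for this user")
        tx_id = data.get("tx")
        # 240: this tuple is what goes to the server over the secure channel
        return (self.login, data["nonce"],
                respond(self.key, data["purpose"], self.login, data["nonce"], tx_id),
                tx_id)

def run_flow():
    key = secrets.token_bytes(32)
    server, phone = Server({"alice": key}), Mobile("alice", key)
    login_args = phone.scan(server.login_request("alice"))  # image shown on the client
    cookie = server.authenticate(*login_args)               # client device gets a session
    replay = server.authenticate(*login_args)               # same nonce again: rejected
    fresh = json.loads(server.login_request("alice"))["nonce"]
    forged = server.authenticate("alice", fresh, "0" * 64)  # wrong key: rejected
    confirmed = server.authenticate(*phone.scan(server.transaction_request(cookie, "TX-42")))
    server.logoff("alice")
    return {"logged_in": cookie is not None, "replay_rejected": replay is None,
            "forged_rejected": forged is None, "confirmed": confirmed == "TX-42",
            "session_cleared": cookie not in server.sessions}
```

Calling run_flow() returns a dictionary in which every entry is True: the first answer opens a session, a replay of the same answer and an answer made without the key are both refused, the second image confirms TX-42, and the logoff removes the cookie. The simulation leaves the client device out entirely; a deployment would additionally bind each pending nonce to the client session that requested the coded image, so that the session which receives the log-in is the one that displayed the image and not one that merely relayed it.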

FIG. 4 shows a block diagram of an example embodiment of a mobilewireless communications device 415 operable to provide authentication ofa user of a client device to a server without the client device beingprovided with an authentication token. Mobile wireless communicationsdevice 415 can be structured in a manner operable with apparatus andprocesses discussed herein, such as apparatus and processes similar toor identical to apparatus and processes associated with FIGS. 1-3, 5, 6,and 7. Mobile wireless communications device 415 can include, amongother components, a processor 431, a memory 432, a camera 438, a decoder433, an encoder 434, and a communications interface 436. Processor 431can be realized as one or more processors. Memory 432, operably coupledto processor 431, can include data storage devices to store parametersto operate mobile wireless communications device 415. Mobile wirelesscommunications device 415 can include a display 439 and user controls437.

Various components of mobile wireless communications device 415 can becoupled among each other using a bus 435. Bus 435 provides electricalconductivity for transferal of signals and data among the components ofmobile wireless communications device 415. In an embodiment, bus 435 caninclude an address bus, a data bus, and a control bus, eachindependently configured. In an alternative embodiment, bus 435 usescommon conductive lines for providing one or more of address, data, orcontrol, the use of which can be regulated by processor 431. Bus 435 maybe realized as multiple busses.

Communications interface 436 can include one or more communicationsinterfaces to operate over a wired network and/or a wireless network.The communications of mobile wireless communications device 415 withexternal entities can be conducted on a secured basis. Exampleinterfaces can include a Wi-Fi interface, a USB interface, an Ethernetinterface, an infrared interface, a Bluetooth interface, an RFIDinterface, a NFC interface, an interface to operate with a wirelessservice provider, and other appropriate communication interfaces.

The components of mobile wireless communications device 415 can bestructured as independent units in mobile wireless communications device415. Various of the components of mobile wireless communications device415 can be structured as integrated or partially integrated componentsin mobile wireless communications device 415. For example, with respectto encoder 434 and decoder 433, instructions and/or parameters forencoding and decoding data to be transmitted from and received in mobilewireless communications device 415, respectively, can be incorporated inmemory 432. These instructions and/or parameters can be executed byprocessor 431. Further, encoder 434 and decoder 433 can be integratedand may be incorporated or partially incorporated in communicationsinterface 436.

Processor 431, memory 432, camera 438, decoder 433, encoder 434, andcommunications interface 436 can be arranged to operably capture animage displayed on a client device; decode the image; establish a securecommunication connection between mobile wireless communications device415 and a server; transmit to the server, via the secure communicationconnection, authenticating data of a user log-in between the clientdevice and the server without an authentication token being provided tothe client device; and conduct an activity of an interactive sessionbetween the client device and the server. The image can be an encodedpicture, a set of pictures, a 2D encoded pattern of varying structures,a 2D barcode, or other image that can be constructed to provide encodeddata. The authenticating data can be based on the decoded image. Theconducted activity can include, after the user log-in to the server, aconfirmation of a transaction of an application of the server during aninteractive session between the client device and the server. Theconducted activity can include, after the user log-in, a logoff of theinteractive session between the client device and the server. Theconfirmation or the logoff can be conducted via a communication frommobile wireless communications device 415 to the server effectivelyinstructing the server to complete the confirmation or the logoffwithout the authentication token being provided to the client device.

The confirmation of a transaction of an application of a server, duringthe interactive session of the server with a client device, can beoperably conducted with processor 431, memory 432, camera 438, decoder433, encoder 434, and communications interface 436 arranged to capturean image displayed on the client device; decode the image; generate acommunication to the server in response to the decoded image; andtransmit, to the server in the communication, authenticating data of thetransaction based on the decoded image. This transaction-based image isanother image, or second image, following the image used to authenticatelog-in from the client device to the server, where generation of thetransaction-based image occurs in the time interval after log-in andbefore log-off. The image can be an encoded picture, a set of pictures,a 2D encoded pattern of varying structures, a 2D barcode, or other imagethat can be constructed to provide encoded data. The transaction-basedimage may include authentication data from the authentication processthat opened the interactive session between the server and the clientdevice. During the interactive session between the server and the clientdevice, mobile wireless communications device 415 can operate in anumber of different transaction confirmations. Each transactionconfirmation can include mobile wireless communications device 415operating between the client device and the server such that thetransactions are confirmed without authentication tokens being providedto the client device.

Processor 431, memory 432, camera 438, decoder 433, encoder 434, andcommunications interface 436 of mobile wireless communications device415 can be arranged to operably conduct the logoff of the client devicefrom the server. Mobile wireless communications device 415 can generatea logoff request and transmit the logoff request to the server. Thelogoff request can include data to terminate the connection of theserver and the client device. This data can include data correspondingto the user log-in. Mobile wireless communications device 415 can bestructured with a plurality of log-in related applications and aplurality of transaction related applications such that mobile wirelesscommunications device 415 is operable with a plurality of servers, on anindividual basis, with respect to server sessions with a number ofdifferent client devices without authentication tokens being provided tothese client devices.

FIG. 5 shows a block diagram of an example embodiment of a server 505 operable to provide authentication of a user of a client device to server 505 without the client device being provided with an authentication token. Server 505 can be structured in a manner operable with apparatus and processes discussed herein, such as apparatus and processes similar to or identical to apparatus and processes associated with FIGS. 1-4, 6, and 7. Server 505 can include, among other components, a processor 521, a memory 522, a decoder 523, an encoder 524, and a communications interface 526. Processor 521 can be realized as one or more processors. Memory 522, operably coupled to processor 521, can include data storage devices to store parameters to operate server 505. Server 505 may include user controls 527.

Various components of server 505 can be coupled among each other using a bus 525. Bus 525 provides electrical conductivity for transferal of signals and data among the components of server 505. In an embodiment, bus 525 can include an address bus, a data bus, and a control bus, each independently configured. In an alternative embodiment, bus 525 can use common conductive lines for providing one or more of address, data, or control, the use of which can be regulated by processor 521. Bus 525 may be realized as multiple busses.

Communications interface 526 can include one or more communications interfaces to operate over a wired network and/or a wireless network. The communications of server 505 with external entities can be conducted on a secured basis. Example interfaces can include a Wi-Fi interface, a USB interface, an Ethernet interface, an infrared interface, a Bluetooth interface, an RFID interface, a NFC interface, an interface to operate with a wireless service provider, and other appropriate communication interfaces.

The components of server 505 can be structured as independent units in server 505. Various components of server 505 can be structured as integrated or partially integrated components in server 505. For example, with respect to encoder 524 and decoder 523, instructions and/or parameters for encoding and decoding data to be transmitted from and received in server 505, respectively, can be incorporated in memory 522. The instructions and/or parameters can be executed by processor 521. Further, encoder 524 and decoder 523 can be incorporated or partially incorporated in communications interface 526.

Processor 521, memory 522, encoder 524, decoder 523, and communications interface 526 can be arranged to operably generate coded image data, where the coded image data has data corresponding to a requested user log-in to server 505; transmit the coded image data to a client device associated with the user log-in; enter into a secure communication connection with a mobile wireless communications device; receive, via the secure communication connection, authenticating data of the user log-in between the client device and server 505 without an authentication token being provided to the client device; enter into an interactive session with the client device; and conduct an activity of the interactive session between the client device and server 505. The interactive session corresponds to the coded image data transmitted to the client device for user log-in. The image can be an encoded picture, a set of pictures, a 2D encoded pattern of varying structures, a 2D barcode, or other image that can be constructed to provide encoded data. Entry into the interactive session can be based on comparing the authenticating data with the data of the coded image data. The conducted activity can include, after the user log-in, a confirmation of a transaction of an application of the server during the interactive session between the client device and server 505. The conducted activity can include, after the user log-in, a logoff of the interactive session between the client device and server 505. The confirmation or the logoff can be conducted in response to a communication from the mobile wireless communications device to complete the confirmation or the logoff, where the confirmation or the logoff is conducted without authentication tokens being provided to the client device.

The confirmation of a transaction of an application of server 505, during the interactive session of server 505 with a client device, can be operably conducted with processor 521, memory 522, encoder 524, decoder 523, and communications interface 526 arranged to generate an identification of the transaction; encode the identification into a coded image data; transmit the coded image data to the client device; receive authenticating data of the transaction from a mobile wireless communications device without the authentication token being provided to the client device, where the authenticating data is based on the coded image data transmitted to the client device; and complete the confirmation of the transaction based on the authenticating data. The image can be an encoded picture, a set of pictures, a 2D encoded pattern of varying structures, a 2D barcode, or other image that can be constructed to provide encoded data. This transaction-based coded image data is another coded image data, or second coded image data, following the generation of the coded image data used to authenticate log-in from the client device to server 505, where generation of the transaction-based coded image data occurs in the time interval after log-in and before log-off. The transaction-based coded image data may include authentication data from the authentication process that opened the interactive session between the server and the client device. During the interactive session between server 505 and the client device, server 505 can operate to generate and complete a number of different transaction confirmations. Each transaction confirmation can include server 505 operating with the mobile wireless communications device between the client device and server 505 such that the transactions are confirmed without authentication tokens being provided to the client device.

Processor 521, memory 522, encoder 524, decoder 523, and communications interface 526 of server 505 can be arranged to operably conduct the logoff of the client device in conjunction with the mobile wireless communications device that participated in the authentication of the log-in from the client device to server 505. Server 505 can be arranged to invalidate cookies associated with the authenticated user log-in to conduct the logoff process. Server 505 can be arranged to invalidate session data cached by the client device. Server 505 can execute a combination of different logoff tasks to protect the security of the data accessible through server 505. Server 505 can be structured with a plurality of log-in applications and a plurality of transactional applications such that server 505 is operable with a plurality of mobile wireless communications devices, on an individual basis, with respect to server sessions with a number of different client devices without authentication tokens being provided to these client devices.

In various embodiments, secure internet sessions between a server and a client computer can be conducted using a smartphone. The smartphone includes an application issued by an institution associated with the server, where the server holds user data. The user data can include a user certificate that is linked to a unique user identification (ID) and a root certificate that is trusted. The application in the smartphone provides a mechanism in which the server can enter a secure session with the client computer without using a password or sensitive data in the client computer. The application on the smartphone can ensure that a user can access secure resources on the server from an untrusted system such as the client computer. The client computer may be untrusted by the institution or may be untrusted by the user; for example, the client computer may be a public computer in an internet café. The institution may be, but is not limited to, an online banking system, an e-mail service, an online health records system, online shopping site, or other network-based resource that operates on user sensitive data or assets.

FIGS. 6A-F illustrate a method of operating an application from a server 605 using a client device 610 without providing an authentication token to client device 610. The method may be conducted in accordance with methods and apparatus as taught herein. Server 605 can be structured with appropriate hardware and physically stored instructions to perform the activities discussed herein to operate one or more applications from server 605 using client device 610 without providing an authentication token to client device 610. Such hardware may include, but is not limited to, processors, memory devices, wireless communication related hardware, and hardware to operate over a wide area network such as the Internet. As shown in FIG. 6A, a request to enter into a session is received in server 605 from client device 610. The request can contain an identification of the requester for log-in without an authentication token. Server 605 can generate an encoded image having a challenge based on the identification. The challenge can be signed by server 605. Server 605 can transmit the encoded image to client device 610. The encoded image is shown on a display 619 of client device 610.

A mobile wireless communications device 615 running an application correlated to server 605 can capture the displayed image 612 using camera 618 of mobile wireless communications device 615 and may show image 612 on its display 617. Mobile wireless communications device 615 can be structured with appropriate hardware and physically stored instructions to perform the activities discussed herein to allow server 605 to operate one or more applications from server 605 using client device 610 without providing an authentication token to client device 610. Such hardware may include, but is not limited to, processors, memory devices, wireless communication related hardware, and, optionally, wired hardware to couple to devices operating over a wide area network such as the Internet. Displayed image 612 can be an encoded picture, a set of pictures, a 2D encoded pattern of varying structures, a 2D barcode, or other image that can be constructed to provide encoded data. The capture can be conducted by actuating a capture image button 616 provided by the application running on mobile wireless communications device 615. Optionally, image button 616 can be displayed on display 617 until the session between server 605 and client device 610 is completed or only be displayed at the various image capture times. Image 612 captured in mobile wireless communications device 615 can be decoded using the application in mobile wireless communications device 615.

As shown in FIG. 6B, once mobile wireless communications device 615 captures image 612, mobile wireless communications device 615 can generate on its display some details of the log-in request before the requester takes action to proceed in confirming the log-in. Once the requester proceeds to confirm the log-in using wireless communications device 615, a response to the challenge can be generated and a secure communication established between mobile wireless communications device 615 and server 605. Mobile wireless communications device 615 can send appropriate data in response to the challenge to server 605 such that server 605 establishes a session with client device 610 for the requester as shown in FIG. 6C.

As shown in FIG. 6D, after establishing the session, the requester can operate a data sensitive application with server 605 from client device 610. In conducting the data sensitive application, the requester can perform a confirmation of a transaction with server 605 in response to the transaction activity being received at server 605 from client device 610. Server 605 can generate a new encoded image having confirmation data. The new encoded image may include another challenge signed by server 605. Server 605 can transmit the new encoded image 614 to client device 610, which can be shown on display 619. Mobile wireless communications device 615 can capture the displayed new image 614 using camera 618 and decode the captured image 614. Displayed image 614 can be an encoded picture, a set of pictures, a 2D encoded pattern of varying structures, a 2D barcode, or other image that can be constructed to provide encoded data.

As shown in FIG. 6E, once mobile wireless communications device 615 captures image 614, mobile wireless communications device 615 can generate on its display 617 some details of the transaction confirmation before the requester takes action to proceed in confirming the transaction. Once the requester proceeds to confirm the transaction on wireless communications device 615, wireless communications device 615 can generate a response to the challenge, establish a secure communication between mobile wireless communications device 615 and server 605, and transmit the transaction confirmation response to server 605.

As shown in FIG. 6F, when the requester decides to terminate the session with server 605, a termination request can be generated from mobile wireless communications device 615 to server 605. In response to the termination request, server 605 can send a communication to client device 610 to invalidate cookies associated with the authenticated log-in. Server 605 also can send a communication to client device 610 to invalidate session data cached by client device 610.

FIG. 7 shows a non-limiting example of a secure internet session between a server and a client computer enabled by a mobile wireless communications device such as a smartphone. This example can be realized in a manner operable with apparatus and processes discussed herein, such as apparatus and processes similar to or identical to apparatus and processes associated with FIGS. 1-6. At 705, a website address of a user's desired institution, such as a banking site for example, is input using a browser on a client computer to which the user is initiating a secure session. The page at the website address includes a sign-on page of that institution or links to the sign-on page of that institution. At 710, the website presents the sign-on page, also referred to as a log-in page or logon page, where the sign-on page only prompts the user for their username or account number, which identifies the user to the institution. At 715, the server receives the log-in request from the client computer. At 720, the server retrieves user data based on the username or account number. Other non-authentication data can be used to identify the user to the server associated with the institution.

At 725, based on the user data, the server creates a nonce. The server signs the nonce by generating a digital signature of the nonce using an authentication key. At 730, the server encodes the plain text nonce and its signature into a two-dimensional (2D) barcode challenge. At 735, the server transmits this 2D barcode challenge to the client computer, where the browser of the client computer displays the 2D image.

At 740, with the 2D barcode displayed on the client computer, this image can be captured using a camera of the smartphone of the user. This capture process can be realized by using the authenticating application from the institution of the server. In an embodiment, with the application running on the smartphone, a view from the camera and a log-in button can be presented on the display of the smartphone. The user points the camera at the 2D barcode generated by the server and displayed on the client computer and takes a picture of the barcode on the display of the client computer using the log-in button. Alternatively, the application can be arranged such that, with the application running, the standard mode of taking a picture with the camera can be used to capture the 2D barcode and the captured image can be selected from image files in the smartphone in the authentication procedure of the application.

At 745, with the 2D barcode captured on the user's smartphone, the application on the smartphone decodes the image and verifies the signature to confirm the nonce is authentic. At 750, the application on the smartphone creates a log-in request, which can include the received nonce, and signs it with the user's private key. This private key can be issued to the smartphone, corresponding to the user, by the institution that provides the application to the smartphone. At 755, the application on the smartphone can establish a TLS connection to the server, authenticate the server using TLS, and send the log-in request to the server.

At 760, the server receives the log-in request from the smartphone and verifies the user's signature and the challenge it initially sent. At 765, the server logs the user in corresponding to the client computer, refreshes the web page on the client computer, and provides access to the account in the institution corresponding to the username or account number from which the authentication process was initiated. During the time that the user is logged into the institution web page, such as a bank web page, the application running in the server and the associated application in the user's smartphone can also be used to confirm account transactions using a process similar to or identical to the process used for authentication of the log-in. At 770, in the confirmation process, a corresponding transaction ID can be encoded into the 2D barcode being generated to initiate the confirmation process from the server. In an example where the institution is an e-mail service, for an e-mail, a process similar to or identical to the abovementioned process can be used to sign e-mails to verify their authenticity.

When the secure session between the server and the client computer is complete, logging off from the session between the client computer and the server can be executed from the smartphone. This log off procedure can be realized as part of the features of the smartphone application that provided the instructions to authenticate the log-in from the client computer to the server. At 775, the application creates a logoff request and signs it with the user's private key. At 780, the application on the smartphone establishes a TLS connection to the server, authenticates the server using TLS, and sends the logoff request. At 785, the server logs the user off and invalidates cookies associated with the session between the server and the client computer. The server can also invalidate session data cached by the client computer employed by the user.
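The FIG. 7 exchange (steps 725 through 785) as an added example, not code from the patent: both sides in Go, with ed25519 standing in for the institution's authentication key and the user's certificate, and the 2D barcode replaced by the text payload it would carry. The `|`-framed `kind|user|detail|nonce|serverSig` layout, the `Enroll`, `Challenge`, `Respond`, `Verify` and `Logoff` names and the single-use `pending` challenge store are assumptions; TLS transport and barcode rendering are omitted.

```go
package main

// Added example, not the patent's code; framing, names and key handling are assumptions.
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// Server: institution authentication key, enrolled users' keys (user certificates), challenges, sessions.
type Server struct {
	authKey  ed25519.PrivateKey
	users    map[string]ed25519.PublicKey
	pending  map[string]string // nonce -> exact challenge payload issued, removed once answered
	sessions map[string]bool   // user -> session open for a client device
}

// Phone: the smartphone application with the user's private key and the institution's verifying key.
type Phone struct {
	user      string
	userKey   ed25519.PrivateKey
	serverPub ed25519.PublicKey // stand-in for the trusted root certificate
}

// Enroll issues keys to a server and to one user's phone (the issuance mentioned at step 750).
func Enroll(user string) (*Server, *Phone) {
	srvPub, srvPriv, _ := ed25519.GenerateKey(rand.Reader)
	usrPub, usrPriv, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{srvPriv, map[string]ed25519.PublicKey{user: usrPub}, map[string]string{}, map[string]bool{}}
	return s, &Phone{user, usrPriv, srvPub}
}

func (s *Server) LoggedIn(user string) bool { return s.sessions[user] }

func nonce() string {
	n := make([]byte, 16)
	rand.Read(n) // crypto/rand.Read does not return an error on supported platforms
	return base64.RawURLEncoding.EncodeToString(n)
}

// sign appends "|" and the base64 ed25519 signature of msg.
func sign(key ed25519.PrivateKey, msg string) string {
	return msg + "|" + base64.RawURLEncoding.EncodeToString(ed25519.Sign(key, []byte(msg)))
}

// Challenge is the barcode content of steps 725-730: "kind|user|detail|nonce|serverSig",
// kind "login" or "confirm" (detail = transaction ID, step 770); fields must not contain "|".
func (s *Server) Challenge(kind, user, detail string) string {
	n := nonce()
	s.pending[n] = sign(s.authKey, strings.Join([]string{kind, user, detail, n}, "|"))
	return s.pending[n]
}

// Respond is steps 745-750: accept only a challenge signed by the institution,
// then sign the whole challenge (nonce included) with the user's private key.
func (p *Phone) Respond(payload string) (string, error) {
	f := strings.Split(payload, "|")
	sig, err := base64.RawURLEncoding.DecodeString(f[len(f)-1])
	if len(f) != 5 || err != nil || !ed25519.Verify(p.serverPub, []byte(strings.Join(f[:4], "|")), sig) {
		return "", errors.New("challenge not signed by the institution")
	}
	return sign(p.userKey, payload), nil
}

// Logoff is step 775: a self-issued message (empty server-signature slot) under the user's key.
func (p *Phone) Logoff() string {
	return sign(p.userKey, strings.Join([]string{"logoff", p.user, "", nonce(), ""}, "|"))
}

// Verify is step 760 (and 785): the user's signature must check under the enrolled key;
// login/confirm must answer an outstanding challenge exactly once; logoff drops the
// session, which is what makes any cookie still held by the client device worthless.
func (s *Server) Verify(resp string) (kind, detail string, err error) {
	f := strings.Split(resp, "|")
	if len(f) != 6 {
		return "", "", errors.New("malformed response")
	}
	payload, user := strings.Join(f[:5], "|"), f[1]
	sig, derr := base64.RawURLEncoding.DecodeString(f[5])
	if pub, ok := s.users[user]; derr != nil || !ok || !ed25519.Verify(pub, []byte(payload), sig) {
		return "", "", errors.New("user signature invalid")
	}
	switch f[0] {
	case "login", "confirm":
		if s.pending[f[3]] != payload {
			return "", "", errors.New("unknown, altered or replayed challenge")
		}
		delete(s.pending, f[3]) // single use: a replayed response fails the check above
		if f[0] == "login" {
			s.sessions[user] = true // step 765: session opened for the client device
		}
	case "logoff":
		delete(s.sessions, user)
	default:
		return "", "", errors.New("unknown message kind")
	}
	return f[0], f[2], nil
}
```

A response is accepted only when it matches the exact challenge the server issued and carries a valid signature under the enrolled user key, so a replayed or altered barcode is refused at the server and a barcode not signed by the institution is refused on the phone before the user ever signs anything.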

To ensure security of the user data and user assets accessible via the server, inadvertent failure of the user to execute logoff, using the smartphone in accordance with the above method, can be addressed by default parameters in the server. The server can automatically log the user out after a fixed time. The fixed time set in the server can be a user set parameter. The fixed time can be set by the user to a lower time than a default time for being logged-in to the server. The user can specify the lower time in a user interface on the user's smartphone. The lower time limit for the session can be transmitted to the server when the initial session is authenticated using the smartphone. This time limit can be a total length of time of the secure session. This time limit can be set as a time since a last activity was conducted in the interactive session between the client computer and the server.

Use of an authentication process as discussed herein provides for secure operation in which no secret authentication tokens are provided to an untrusted system. In addition, a user does not rely on the untrusted system to perform logout and wipe any session data, such as cookies. In the case of a banking application using the transaction confirmation process, for example, the untrusted system cannot perform transactions without user knowledge. The system and procedures can also be used for signing emails without authentication tokens attached to a local system, that is, signing is performed like a transaction for banking. The signing of the e-mail can be authorized on the smartphone and not on the client computer.

In various embodiments, a machine-readable storage device, such as a computer-readable storage device, has machine-executable instructions, which when executed by a controller, such as a processor, cause a mobile wireless communications device to operate in conjunction with a server to provide authentication of a user of a client device to a server without the client device being provided with an authentication token. These instructions provide a mechanism for a mobile wireless communications device to operate in a manner similar to or identical to a mobile wireless communications device associated with FIGS. 1-7. The machine-readable storage device is not limited to any one type of device. Further, a machine-readable storage device, herein, is a physical device that stores data represented by physical structure within the device. Machine-readable storage devices may include, but are not limited to, solid-state memories, optical devices, and magnetic devices. Examples of machine-readable storage devices include, but are not limited to, read only memory (ROM), random access memory (RAM), a magnetic disk storage device, an optical storage device, a flash memory, and other electronic, magnetic, and/or optical memory-like devices.

In various embodiments, a machine-readable storage device, such as a computer-readable storage device, has machine-executable instructions, which when executed by a controller, such as a processor, cause a server to operate in conjunction with a mobile wireless communications device to provide authentication of a user of a client device to the server without the client device being provided with an authentication token. These instructions provide a mechanism for the server to operate in a manner similar to or identical to a server associated with FIGS. 1-7. The machine-readable storage device is not limited to any one type of device. Machine-readable storage devices may include, but are not limited to, solid-state memories, optical devices, and magnetic devices. Examples of machine-readable storage devices include, but are not limited to, read only memory (ROM), random access memory (RAM), a magnetic disk storage device, an optical storage device, a flash memory, and other electronic, magnetic, and/or optical memory-like devices.

Although specific embodiments have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that any arrangement that is calculated to achieve the same purpose may be substituted for the specific embodiments shown. It is to be understood that the above description is intended to be illustrative, and not restrictive, and that the phraseology or terminology employed herein is for the purpose of description. Combinations of the above embodiments and other embodiments will be apparent to those of skill in the art upon studying the above description.

1. A method comprising: conducting operations in a mobile wireless communications device using a controller of the mobile wireless communications device, the operations including: capturing an image displayed on a client device; decoding the image; establishing a secure communication connection between the mobile wireless communications device and a server; transmitting to the server, via the secure communication connection, authenticating data of a user log-in between the client device and the server without an authentication token, corresponding to the user log-in, being provided to the client device, the authenticating data being based on the decoded image; conducting, after the user log-in, a confirmation of a transaction of an application of the server during an interactive session between the client device and the server, the confirmation being conducted via a communication from the mobile wireless communications device to the server to complete the confirmation without an authentication token being provided to the client device; and generating, after the user log-in and the confirmation, a logoff request in the mobile wireless communications device to conduct a logoff between the client device and the server, and transmitting the logoff request to the server, the logoff request including data to terminate connection of the server and the client device, the data corresponding to the user log-in between the client device and the server.
 2. The method of claim 1, wherein conducting the confirmation in the mobile wireless communications device includes: capturing a second image displayed on the client device during the interactive session; decoding the second image; generating a communication to the server in response to decoding the second image; and transmitting, to the server in the communication, second authenticating data of the transaction of the interactive session based on the decoded second image.
 3. The method of claim 2, wherein transmitting the second authenticating data of the transaction includes transmitting, to the server, an identification of the transaction, the identification being extracted from decoding the second image.
 4. The method of claim 1, wherein decoding the image includes decoding the image such that a plain text nonce and digital signature, generated by the server, is produced.
 5. The method of claim 1, wherein establishing the secure communication connection between the mobile wireless communications device and the server includes using transport layer security (TLS).
 6. The method of claim 1, wherein transmitting to the server authenticating data includes transmitting data that satisfies a challenge incorporated in the captured image.
 7. A method comprising: conducting operations in a server using a controller of the server, the operations including: generating coded image data, the coded image data having data corresponding to a user log-in to the server; transmitting the coded image data to a client device; entering into a secure communication connection with a mobile wireless communications device; receiving via the secure communication connection, authenticating data of the user log-in between the client device and the server without an authentication token, corresponding to the user log-in, being provided to the client device, the authenticating data based on the coded image data transmitted to the client device; entering into an interactive session with the client device, without an authentication token being provided to the client device, based on comparing the authenticating data with the data of the coded image data, the interactive session corresponding to the user log-in; conducting a confirmation of a transaction of an application of the server during the interactive session between the client device and the server, the confirmation conducted in response to a communication from the mobile wireless communications device to complete the confirmation, the confirmation being conducted without an authentication token being provided to the client device; and conducting a logoff of the client device from the server, the logoff including receiving a logoff request from the mobile wireless communications device, the logoff request including data to terminate connection of the server and client device corresponding to the user log-in between the client device and the server.
 8. The method of claim 7, wherein conducting the confirmation in the server includes: generating an identification of the transaction; encoding the identification into a second coded image data; transmitting the second coded image data to the client device; receiving second authenticating data of the transaction from the mobile wireless communications device without an authentication token being provided to the client device, the second authenticating data based on the second coded image data transmitted to the client device; and completing the confirmation of the transaction based on the second authenticating data.
 9. The method of claim 8, wherein completing the confirmation of the transaction in the server includes comparing the identification of the transaction generated by the server with a transaction identification received in the second authenticating data of the transaction.
10. The method of claim 7, wherein generating coded image data includes encoding a plain text nonce and digital signature.
 11. The method of claim 10, wherein conducting the logoff includes the server invalidating cookies associated with the user log-in.
 12. The method of claim 10, wherein conducting the logoff includes the server invalidating session data cached by the client device.
 13. The method of claim 7, wherein entering into a secure communication connection includes using transport layer security (TLS).
 14. The method of claim 7, wherein generating the coded image data includes incorporating a challenge in generating the coded image data.
 15. A machine-readable storage device having instructions stored thereon, which instructions, when executed by a processor, cause a mobile wireless communications device to perform operations, the operations comprising: capturing an image displayed on a client device; decoding the image; establishing a secure communication connection between the mobile wireless communications device and a server; transmitting to the server, via the secure communication connection, authenticating data of a user log-in between the client device and the server without an authentication token, corresponding to the user log-in, being provided to the client device, the authenticating data being based on the decoded image; conducting, after the user log-in, a confirmation of a transaction of an application of the server during an interactive session between the client device and the server, the confirmation being conducted via a communication from the mobile wireless communications device to the server to complete the confirmation without an authentication token being provided to the client device; and generating, after the user log-in and the confirmation, a logoff request in the mobile wireless communications device to conduct a logoff between the client device and the server, and transmitting the logoff request to the server, the logoff request including data to terminate connection of the server and the client device, the data corresponding to the user log-in between the client device and the server.
 16. The machine-readable storage device of claim 15, wherein conducting the confirmation in the mobile wireless communications device includes: capturing a second image displayed on the client device during the interactive session; decoding the second image; generating a communication to the server in response to decoding the second image; and transmitting, to the server in the communication, second authenticating data of the transaction of the interactive session based on the decoded second image.
 17. The machine-readable storage device of claim 16, wherein transmitting the second authenticating data of the transaction includes transmitting, to the server, an identification of the transaction, the identification being extracted from decoding the second image.
 18. The machine-readable storage device of claim 15, wherein decoding the image includes decoding the image such that a plain text nonce and digital signature, generated by the server, is produced.
19. A machine-readable storage device having instructions stored thereon, which instructions, when executed by a processor, cause a server to perform operations, the operations comprising: generating coded image data, the coded image data having data corresponding to a user log-in to the server; transmitting the coded image data to a client device; entering into a secure communication connection with a mobile wireless communications device; receiving via the secure communication connection, authenticating data of the user log-in between the client device and the server without an authentication token, corresponding to the user log-in, being provided to the client device, the authenticating data based on the coded image data transmitted to the client device; entering into an interactive session with the client device, without an authentication token being provided to the client device, based on comparing the authenticating data with the data of the coded image data, the interactive session corresponding to the user log-in; conducting a confirmation of a transaction of an application of the server during the interactive session between the client device and the server, the confirmation conducted in response to a communication from the mobile wireless communications device to complete the confirmation, the confirmation being conducted without an authentication token being provided to the client device; and conducting a logoff of the client device from the server, the logoff including receiving a logoff request from the mobile wireless communications device, the logoff request including data to terminate connection of the server and client device corresponding to the user log-in between the client device and the server.
 20. The machine-readable storage device of claim 19, wherein conducting the confirmation in the server includes: generating an identification of the transaction; encoding the identification into a second coded image data; transmitting the second coded image data to the client device; receiving second authenticating data of the transaction from the mobile wireless communications device without an authentication token being provided to the client device, the authenticating data based on the second coded image data transmitted to the client device; and completing the confirmation of the transaction based on the authenticating data.
 21. The machine-readable storage device of claim 20, wherein completing the confirmation in the server includes comparing the identification of the transaction generated by the server with a transaction identification received in the second authenticating data of the transaction.
 22. The machine-readable storage device of claim 19, wherein generating coded image data includes encoding a plain text nonce and digital signature.
 23. The machine-readable storage device of claim 22, wherein conducting the logoff includes the server invalidating cookies associated with the user log-in and invalidating session data cached by the client device.
 24. A mobile wireless communications device comprising: a processor; a memory operably coupled to the processor, the memory including data storage to store parameters to operate the mobile wireless communications device; a camera; a decoder; a communications interface, wherein the processor, the memory, the camera, the decoder, and the communications interface are arranged to operably: capture an image displayed on a client device; decode the image; establish a secure communication connection between the mobile wireless communications device and a server; transmit to the server, via the secure communication connection, authenticating data of a user log-in between the client device and the server without an authentication token, corresponding to the user log-in, being provided to the client device, the authenticating data being based on the decoded image; conduct, after the user log-in, a confirmation of a transaction of an application of the server during an interactive session between the client device and the server, the confirmation being conducted via a communication from the mobile wireless communications device to the server to complete the confirmation without an authentication token being provided to the client device; and generate, after the user log-in and the confirmation, a logoff request in the mobile wireless communications device to conduct a logoff between the client device and the server, and transmit the logoff request to the server, the logoff request including data to terminate connection of the server and the client device, the data corresponding to the user log-in between the client device and the server.
 25. The mobile wireless communications device of claim 24, wherein the processor, the memory, the camera, the decoder, and the communications interface are arranged to operatively conduct the confirmation in the mobile wireless communications device to: capture a second image displayed on the client device during the interactive session; decode the second image; generate a communication to the server in response to decoded second image; and provide, to the server in the communication, second authenticating data of the transaction based on the decoded second image.
 26. The mobile wireless communications device of claim 24, wherein the processor, the memory, the camera, the decoder, and the communications interface are arranged to operatively decode the image by decoding the image such that a plain text nonce and digital signature, generated by the server, is produced.
 27. A server comprising: a processor; a memory operably coupled to the processor, the memory including data storage to store parameters to operate the server; an encoder; a communications interface, wherein the processor, the memory, the encoder, and the communications interface are arranged to operably: generate coded image data, the coded image data having data corresponding to a user log-in to the server; transmit the coded image data to a client device; enter into a secure communication connection with a mobile wireless communications device; receive via the secure communication connection, authenticating data of the user log-in between the client device and the server without an authentication token, corresponding to the user log-in, being provided to the client device, the authenticating data based on the coded image data transmitted to the client device; enter into an interactive session with the client device, without an authentication token being provided to the client device, based on comparing the authenticating data with the data of the coded image data, the interactive session corresponding to the user log-in; conduct a confirmation of a transaction of an application of the server during the interactive session between the client device and the server, the confirmation conducted in response to a communication from the mobile wireless communications device to complete the confirmation, the confirmation being conducted without an authentication token being provided to the client device; and conduct a logoff of the client device from the server, the logoff including receiving a logoff request from the mobile wireless communications device, the logoff request including data to terminate connection of the server and client device corresponding to the user log-in between the client device and the server.
 28. The server of claim 27, wherein the processor, the memory, the encoder, and the communications interface are arranged to operably conduct the confirmation in the server to: generate an identification of the transaction; encode the identification into a second coded image data; transmit the second coded image data to the client device; receive second authenticating data of the transaction from the mobile wireless communications device without an authentication token being provided to the client device, the second authenticating data based on the second coded image data transmitted to the client device; and complete the confirmation of the transaction based on the second authenticating data.
 29. The server of claim 27, wherein the server is arranged to generate the coded image data by encoding a plain text nonce and digital signature.
 30. The server of claim 27, wherein the server is operable to invalidate session data cached by the client device in execution of the logoff. 
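The following is an added worked example, not code from the patent or from any product implementing it. It simulates the sequence the claims above describe (claims 19 through 30 in particular): the server generates coded image data carrying a plain-text nonce and a signature, the client only displays it and holds a login identifier, the mobile device decodes the image and sends the authenticating data over its own channel, the server compares it with what it generated, then the same pattern confirms a server-generated transaction identifier and finally processes a logoff request originating at the mobile device. It goes beyond the claim text by also exercising the inputs a server must reject: a replayed nonce, an expired nonce, a device not enrolled for the user, and a transaction identifier the server never issued. Every name here is hypothetical, and three things are simplifications labelled as assumptions: an HMAC keyed with a server secret stands in for the digital signature (the server both issues and verifies it), base64-encoded JSON stands in for QR image data, and the authenticated secure channel from the mobile device is modelled by trusting a `device_id` looked up in an enrollment table.

```python
import base64, hashlib, hmac, json, secrets

def _sign(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 stands in for the server's digital signature (assumption):
    the server both issues and verifies it, so a keyed MAC suffices here."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def encode_image_data(payload: dict) -> str:
    """Stand-in for QR encoding (assumption): base64 of the JSON payload."""
    return base64.b64encode(json.dumps(payload, sort_keys=True).encode()).decode()

def decode_image_data(coded: str) -> dict:
    """What the device's decoder recovers: plain-text nonce (or tx id) plus signature."""
    return json.loads(base64.b64decode(coded))

class Server:
    def __init__(self, devices: dict, ttl: int = 120):
        self.key = secrets.token_bytes(32)  # signing secret, never leaves the server
        self.devices = devices              # device_id -> enrolled user (constructed)
        self.ttl = ttl                      # lifetime of a login nonce, in seconds
        self.pending = {}                   # nonce -> unconsumed login record
        self.sessions = {}                  # login_id -> server-side session state
        self.pending_tx = {}                # tx_id -> login_id awaiting confirmation

    def start_login(self, user: str, now: float):
        """The client receives only a login_id (its cookie) and image data to display."""
        login_id, nonce, exp = secrets.token_hex(8), secrets.token_hex(16), int(now) + self.ttl
        self.pending[nonce] = {"user": user, "login_id": login_id, "exp": exp}
        sig = _sign(self.key, "login", nonce, login_id, str(exp))
        return login_id, encode_image_data({"t": "login", "nonce": nonce, "exp": exp, "sig": sig})

    def authenticate(self, device_id: str, msg: dict, now: float) -> bool:
        """Authenticating data from the mobile device; device_id is trusted from its channel (assumption)."""
        rec = self.pending.get(msg.get("nonce"))
        if rec is None or self.devices.get(device_id) != rec["user"] or now > rec["exp"]:
            return False
        sig = _sign(self.key, "login", msg["nonce"], rec["login_id"], str(rec["exp"]))
        if not hmac.compare_digest(sig, msg.get("sig", "")):
            return False
        del self.pending[msg["nonce"]]  # consume the nonce: a second use is a replay
        self.sessions[rec["login_id"]] = {"user": rec["user"], "active": True}
        return True

    def start_transaction(self, login_id: str, description: str) -> str:
        """Server-generated transaction id, signed and encoded into the second image data."""
        sess = self.sessions.get(login_id)
        if not sess or not sess["active"]:
            raise PermissionError("no interactive session for this login")
        tx_id = secrets.token_hex(8)
        self.pending_tx[tx_id] = login_id
        sig = _sign(self.key, "tx", tx_id, login_id)
        return encode_image_data({"t": "tx", "tx_id": tx_id, "desc": description, "sig": sig})

    def confirm(self, device_id: str, msg: dict) -> bool:
        """Compare the received tx id with the one the server generated (claim 21)."""
        login_id = self.pending_tx.get(msg.get("tx_id"))
        sess = self.sessions.get(login_id)
        if sess is None or not sess["active"] or self.devices.get(device_id) != sess["user"]:
            return False
        if not hmac.compare_digest(_sign(self.key, "tx", msg["tx_id"], login_id), msg.get("sig", "")):
            return False
        del self.pending_tx[msg["tx_id"]]  # one confirmation per issued transaction id
        return True

    def logoff(self, device_id: str, login_id: str) -> bool:
        """The logoff request comes from the mobile device, not from the client."""
        sess = self.sessions.get(login_id)
        if sess is None or self.devices.get(device_id) != sess["user"]:
            return False
        sess["active"] = False  # the client's cookie / cached session data is now invalid
        return True

class MobileDevice:
    def __init__(self, device_id: str):
        self.device_id = device_id

    def scan_and_respond(self, coded: str) -> dict:
        """Capture and decode the displayed image, then forward identifier and signature."""
        d = decode_image_data(coded)
        key = "nonce" if d["t"] == "login" else "tx_id"
        return {key: d[key], "sig": d["sig"]}

def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Runs the claimed sequence plus four inputs the server must reject; returns outcomes."""
    server = Server({"phone-1": "alice", "phone-2": "bob"})  # constructed enrollments
    alice, bob = MobileDevice("phone-1"), MobileDevice("phone-2")
    login_id, image = server.start_login("alice", now)  # client shows image, keeps only login_id
    results = {"wrong_device": server.authenticate(bob.device_id, alice.scan_and_respond(image), now)}
    results["login"] = server.authenticate(alice.device_id, alice.scan_and_respond(image), now)
    results["replay"] = server.authenticate(alice.device_id, alice.scan_and_respond(image), now)
    tx_image = server.start_transaction(login_id, "transfer 50 to savings")
    forged = dict(alice.scan_and_respond(tx_image), tx_id="0000000000000000")  # id never issued
    results["forged_tx"] = server.confirm(alice.device_id, forged)
    results["confirm"] = server.confirm(alice.device_id, alice.scan_and_respond(tx_image))
    results["logoff"] = server.logoff(alice.device_id, login_id)
    results["active_after_logoff"] = server.sessions[login_id]["active"]
    late = server.start_login("alice", now)[1]
    results["expired"] = server.authenticate(alice.device_id, alice.scan_and_respond(late), now + 1000)
    return results
```

The property the claims turn on is visible in `start_login`: the only thing the client ever holds is `login_id`, a reference to server-side state that becomes usable solely after the mobile device presents the nonce and signature. The nonce is single-use and time-limited, the signature binds it to the login record, and the device must be enrolled for the user whose login it is completing; a deployment would replace the enrollment lookup with a mutually authenticated TLS connection and the HMAC with an actual signature scheme.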